Now that you have eliminated all the z/OS system integrity vulnerabilities you could find, re-evaluated your user validation to minimize the possibility of credentials being stolen, found all your sensitive data and eliminated unneeded copies and implemented a test data management solution, and validated the users who have access to the remaining data and transactions, it is time to evaluate how accesses by authorized users are being monitored.
Remember, there are two different scenarios that can harm your organization. One is the obvious one – a trusted employee goes rogue, obtains sensitive data and uses it in a manner that either profits him and/or harms the organization – Edward Snowden of the NSA is the poster child for this type of calamity. The other is that a loyal employee has their identity stolen and the hacker misuses it. Note that even though you have gone through the steps of securing your z/OS system, nothing is perfect and there are still vulnerabilities in the network configuration and usage that allow Userids and passwords to be passed in the clear, people doing silly things like writing down their passwords on a post-it note, someone looking over a valid user’s shoulder, etc.
This is where processes that collect usage data and analyze it, looking for unusual activity, come in. Some examples are:
- A user who normally accesses the system no earlier than 7 AM and no later than 6 PM suddenly has activity at midnight. An investigation might reveal that his supervisor had an emergency situation and asked him to come back to work and perform some activities. Or, it could be nefarious activity. Only a quiet investigation will uncover the truth.
- A customer representative suddenly accesses 150-160 customer records in a day when the normal activity is about 50 per day.
- A clerk accesses a large number of employee records when normally almost none should be accessed.
- A Userid accesses the system from two incompatible locations simultaneously. Of course, it would not be that unusual for a user to have two sessions open at once, but if the IP addresses for the two different sessions indicated they came from different parts of the country/world, this is unusual activity.
- A single IP address is used for multiple system accesses using different Userids. Now there may be an innocent explanation for this, but it is something that may indicate stolen credentials.
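The checks in the list above, written as simple detection logic over a small constructed set of access records (an added example, not from the original post): the log fields, the 07:00-18:00 working window, the per-user baselines and the thresholds are all assumptions, and real SMF or SIEM data would first need to be parsed into this shape.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (userid, ISO timestamp, source IP, customer records read)
LOG = [
    ("JSMITH", "2024-03-04T09:15:00", "10.1.1.5", 40),
    ("JSMITH", "2024-03-04T23:58:00", "10.1.1.5", 5),       # activity at midnight
    ("ACLERK", "2024-03-04T10:00:00", "10.1.1.9", 160),     # far above normal volume
    ("BJONES", "2024-03-04T11:00:00", "10.1.1.7", 30),
    ("BJONES", "2024-03-04T11:02:00", "198.51.100.4", 10),  # second site, 2 minutes later
    ("CLEE",   "2024-03-04T12:00:00", "10.1.1.9", 20),      # same source IP as ACLERK
]
# Assumed normal records-per-day for each user (would come from historical data)
BASELINE = {"JSMITH": 50, "ACLERK": 50, "BJONES": 50, "CLEE": 50}

def off_hours(log, start=7, end=18):
    """Users with activity outside their normal window (here 07:00 to 18:00)."""
    return sorted({u for u, ts, _, _ in log
                   if not start <= datetime.fromisoformat(ts).hour < end})

def volume_spikes(log, baseline, factor=3):
    """Users who read more than `factor` times their normal daily volume."""
    totals = defaultdict(int)
    for u, _, _, n in log:
        totals[u] += n
    return sorted(u for u, n in totals.items() if n > factor * baseline[u])

def multi_site_logins(log, window_minutes=60):
    """Same userid seen from two different IPs within the time window."""
    seen = defaultdict(list)
    for u, ts, ip, _ in log:
        seen[u].append((datetime.fromisoformat(ts), ip))
    flagged = set()
    for u, events in seen.items():
        for i, (t1, ip1) in enumerate(events):
            for t2, ip2 in events[i + 1:]:
                if ip1 != ip2 and abs((t2 - t1).total_seconds()) <= window_minutes * 60:
                    flagged.add(u)
    return sorted(flagged)

def shared_source_ips(log):
    """Source IPs used by more than one userid (a possible sign of stolen credentials)."""
    users = defaultdict(set)
    for u, _, ip, _ in log:
        users[ip].add(u)
    return {ip: sorted(us) for ip, us in users.items() if len(us) > 1}
```

Each function returns the userids (or IPs) to investigate; as the post says, every hit needs a quiet investigation rather than an automatic verdict.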
There are several products that help in this area. Compuware’s Hiperstation Application Audit product records the input AND output from CICS, IMS, IDMS, TSO, etc. sessions with little overhead and can look at the commands and parameters being entered and the output returned. So, for example, if the output contained some keyword, like “employee” or “movie-star”, it could highlight these accesses.
The Security Information and Event Management (SIEM) products collect information and process it. For example, the Correlog SIEM product efficiently collects information from a number of systems, including z/OS, and uses algorithms to identify and highlight “events” (unusual activity) among the huge amount of normal activity processed.
And, of course, ACF2, RACF and Top Secret generate SMF log records for violations and for allowed accesses to sensitive datasets and transactions; these can be analyzed to highlight unusual activity.
Note that all these processes are after-the-fact. But remember that of the breaches made public, many were ongoing for months or even over a year. With proper and routine analysis, these unusual activities can be found and remediated quickly.
Next – Part 6 – Is the network connected to your mainframe secure?